Not really: Song et al discovered that you don't need training data from the user you're surveilling. A lot of people touch-type the same basic way, and timing data from one user is still useful for speeding up a password search from another user.

As with dictionary attacks, no amount of data is ridiculous if you can collect it yourself, off-line, in advance, and use it over and over.

"We pick a character pair and ask the user to type this pair 30-40 times, returning to the home row each time between repetitions. For each user, we repeat this for many possible pairs (142 pairs, in our experiments) and gather data on inter-keystroke timings for each pair. We collected the latency of each character pair measurement and computed the mean value and standard deviation."

The training data wasn't universally applied between users either. They had better results between certain users than others.

I'm not saying it isn't possible, I'm saying it's a lot more effort than something like sneaking a hidden camera in or out, since you'd have to sneak out the audio recordings anyway. Unless you're going to be on the spot analyzing that in your head. It's ridiculous the way killing James Bond with sharks is ridiculous. Yeah, they'll farking eat him, but it's faster to just shoot him in the face without talking about it.

Actually, how would you grab the training data without filming it or installing a keylogger in the first place? Assuming it's on a PC rather than a typewriter. But if you have a keylogger on the machine then you already have passwords. Yes, you could conceivably crack new passwords later from training data and while that's a long game, the kind of machines most people would have access to for that aren't for the kind of people you would run a long game against like that.

Is there another way to retrieve training data that doesn't require key value logging like that?

Miss Alexandra:I don't know how true this is, but I've read somewhere that the real reason for banning lead paint was so walls could be seen through. Not sure of the veracity but it's something to think about.

Ok, let's think about it. The health risks of lead are well documented. Lead paint isn't thick enough to block anything.

Xcott:Encryption pads are never reused, except when some dimwit did reuse them.

I don't think the Soviets were being dimwits, necessarily. It seems that they tried to 'stretch' their limited OTP generation capability during the extremely chaotic beginning of WWII for them by reusing a relatively small number of pad pages.

Don't forget that Venona managed to decode only something like 1 to 3% of the total amount of Soviet traffic that the US intercepted, and it took years to get much of it (though some was decoded quickly).

Back then, they may have believed that they could safely re-use the pads, if they did it in a limited way. They used code-names for people, organizations, and projects, and they may have decided that the slight risk was acceptable.

We have something they didn't have: A historical example of why it's a very bad idea, the revelations about the Venona Project.

One time pads were relatively new in 1941, having been invented back around 1920 or so. Today, we know better.

Xcott:Typewriter ribbons present a security weakness and opportunity for surveillance even though, by official policy, they are supposed to be burned.

I've got an old Olivetti Lettera 32 manual typewriter. It's got a cloth ribbon that is at least 30 years old. It's been reused numerous times, so much so that I doubt that you could pull any useful information off of it. Each part of that ribbon has been hit by so many different letters and numbers that I can't see how any amount of analysis could possibly pull any intelligence off of it.

Cloth ribbons are fundamentally different than the plastic ribbons used by later typewriters: Plastic ribbons can be read by eye easily, and they can't really be re-used over and over again like a cloth ribbon.

dittybopper:Xcott: dittybopper: Color me skeptical that you could ever make it work consistently. After all, the most simple countermeasure would be to just type slowly in an even rhythm, or to consciously vary the timing.

Yes, and the simple countermeasure to fingerprint detection is to wear gloves. That's why fingerprints never helped convict a criminal---because everyone just started wearing gloves all the time starting in 1892.

Seriously, how many people do you expect to suddenly decide to type slowly in an even rhythm to prevent timing attacks on their computer? Even people aware of the need for that kind of countermeasure are going to try that for 30 seconds and say "fark it." Countermeasures are effectively a non-issue. It's like pointing out that you can defeat speaker identification by talking like Meatball all the time---great, but nobody does that, and nobody's going to do that.

Actually, you can make this completely moot by simply doing your typing in a secure facility. Which is where you were going to store the documents anyway.

Again, we're discussing people for whom security isn't some afterthought, but a way of life, and they are guarding secrets that you have no clue how tightly they are held. I've been inside that world.

For very limited distribution, highly sensitive documents, where you can't afford to have them leaked, type them directly onto paper instead of into a computer, where some nosy sysadmin might grab them, or some disgruntled worker might snarf them onto a thumb drive. That way the only real copy is paper, and paper is harder to sneak out of a secure facility than electronic data on something as small as a thumb drive or a microSD card.

How many typewritten documents do you think you could sneak past the guards that are there specifically to prevent that sort of thing?

Plus, with paper, if you take the only copy, it's ...

Type at a constant rate of characters, lol. I can see the want ads now. Wanted: typist who can't type and can't learn. Must have no credit issues and be able to hold a top secret/TSC clearance. Do you really think that the Russians bothered to bug the noise IBM selectrics made in an insecure location?

I think the big question is, are they storing plaintext or ciphertext in the file drawers. Ciphertext would be a pain, but vastly more secure than anything the NSA uses. Any camera will let you put as many hardcopies as you want on an SDHC (and the camera is only barely larger. Smart installations will shoot you for the SDHC as soon as the camera). It might be slightly less clunky, but I'm sure that the Russians will be far more to the point if they have to put everything in hardcopy to a manual typewriter instead of thousands of slides of PowerPoint. You could send the NSA some ciphertext, but the whole point of the place is they are already getting tons of that anyway; what they need are the keys and the plaintext.

"Again, we're discussing people for whom security isn't some afterthought, but a way of life, and they are guarding secrets that you have no clue how tightly they are held. I've been inside that world." - Dittybopper

So was Snowden. So was Manning. Security is hard: screw up once and it is over. Attacking is easy, a .001 average means you got what you wanted.

Fullmetalpanda: dittybopper: Actually makes sense, and it's why I use a manual typewriter to make one time pads: No data remanence issues.

Note that if you are copying a sufficiently slow source of random data (i.e. you get the next character after you typed the last one) it is next to impossible to determine the keypress. Typing ciphertext is going to be brutal to descramble (all errors won't be recovered and will really screw up decryption attempts. Will be utterly useless for codebreaking). Type cleartext and I bet you will never manage to get the rhythm off enough after doing it for awhile.

Hitlersbrain: I seriously doubt these guys were ever REALLY a super power. More like a super hyped paper tiger.

They have had the most effective space program from the 1950s to 2013, with a small break when they lost their vision of simple craft with the N1 (i.e. when we went to the moon). They also have had the bomb (including Sakharov's H-bomb) for a good long time (conquering Nazi Germany helps bring in a few spoils). US spy agencies had to lie their tongues black over their conventional firepower, because they really weren't in a position to invade anybody outside the Iron Curtain. They also managed to do all this starting from a medieval kingdom in the early twentieth century that was invaded twice during the whole process; the Romanov in charge of the Army didn't care that he only had "two weeks" worth of bullets before WWI (note that all sides assumed they would shoot about 1% of what they actually used) because "things would be decided with lance and saber as always". Makes you wonder how far we would be ahead if we were the ones who tried communism.

BTW, you can get pretty good security from a strip cipher similar to this, if you use a large enough number of strips, and use dice and Scrabble tiles to generate the strips and the keys (ie., strip order), especially for relatively low amounts of traffic.

yet_another_wumpus:So was Snowden. So was Manning. Security is hard: screw up once and it is over. Attacking is easy, a .001 average means you got what you wanted.

That's precisely my point: Using typewriters instead of computers makes it harder for a Snowden or a Manning to get as many documents, or documents as sensitive.

Both had essentially unlimited access to a metric farkton of classified data. Putting stuff on paper locked in a SCIF, it having never been electronic in nature, limits the possibility of exposure compared to purely electronic documents, but it doesn't completely remove the danger. It just makes it harder.

StaleCoffee:Actually, how would you grab the training data without filming it or installing a keylogger in the first place?

I told you: Song et al observed that you can use training data from one user to help brute-force another user's typing, because there are common timing patterns among touch typists. It's not as good as having data from the target, but it still helps.

So you don't need to install a keylogger on the target's computer to collect his data; you just collect a mountain of training data from your own subjects. You develop a universal background model for touch-typing behavior. Then you use that model to spy on each of your targets, or to analyze sound recordings of touch typing by whomever.

StaleCoffee:I'm not saying it isn't possible, I'm saying it's a lot more effort than something like sneaking a hidden camera in or out, since you'd have to sneak out the audio recordings anyway.

Sneaking a camera in or out requires physical access to the target's location. Keystroke timing can be accomplished remotely, for example by monitoring the timing of packets in an encrypted stream, or somehow gaining audio access such as the sound of typing in a phone call or video chat session.

Xcott:Encryption pads are never reused, except when some dimwit did reuse them

Which is why the weakest part of most security systems is the dimwits that use them, and within any organization you're going to have at least a few dimwits, and in a large organization you're going to have a lot of dimwits.

gfid:Xcott: Encryption pads are never reused, except when some dimwit did reuse them

Which is why the weakest part of most security systems is the dimwits that use them, and within any organization you're going to have at least a few dimwits, and in a large organization you're going to have a lot of dimwits.

Yeah, but manual, paper OTPs are about as foolproof a solution as you are going to find. The rules are simple, and when followed, they *WORK*.

But if you can't get someone to follow the simple rules (use pad once, then destroy as soon as you encrypt or decrypt), then they aren't going to follow the rules for any other system.

The thing is, though, if they fail to destroy a pad or pads, and they are discovered, that only lets whoever found them break the messages encrypted with those pads. It doesn't provide a general way into the system like revealing a key for a non-OTP system.

For example, this pad page is compromised:

But the fact that page 704 is compromised doesn't help anyone decrypt messages I might send using page 705, or 703, or 710, or any other page in that pad. In other words, there isn't a general solution to the one time pad, where a single piece of information can be used to compromise the whole system.

That's why Venona isn't as damaging as it could have been to the Soviets. We could only decrypt the messages that used the same pad pages.

dittybopper:Yeah, but manual, paper OTPs are about as foolproof a solution as you are going to find. The rules are simple, and when followed, they *WORK*.

That's not what "foolproof" means. OTPs are actually the opposite of foolproof: they fail catastrophically when people cut a few corners or make a few mistakes, and the onerous key requirements actually encourage those mistakes.

OTPs are fragile in the sense that if someone ever cuts a corner and reuses a pad, anyone who intercepts your transmissions can immediately detect the reuse, and it's not that hard to extract the messages in full when this happens. It's hard to express just how embarrassingly bad this is by modern standards: a cipher should never fail this dramatically when a key is misused or used past its mandated lifetime.

On top of this, the OTP requires that key material be written down and stored in two different places, which again is pretty awful security by modern standards, or even 1970s standards. You should only need a key or passphrase that you can memorize---you should never have to write down a key---and you shouldn't have to share it with anyone, even the person with whom you are communicating.

The only reason to use an OTP is that the encryption method is theoretically unbreakable if all practical matters are ignored. But you only needed that theoretical unbreakability 40-50 years ago, before people figured out how to make reliably strong cipher algorithms. And when you factor in the practical matters, it's a real D- of a cipher.

This is why cryptographers are conditioned to hear "one-time pad" and think "crackpot." If you're writing cryptographic software and you want to guarantee that people will declare it snake oil, use the phrase "one-time pad" in the marketing copy.
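An added worked example, not code posted by anyone in this thread, of the two claims made above: that a compromised or reused pad page only affects the messages encrypted with that page, and that pad reuse is detectable by an interceptor. It uses a letter-by-letter additive pad mod 26, two constructed sample messages that share a stereotyped opening, and a seeded PRNG standing in for the dice purely so the demo is reproducible (real pad material needs a true random source). The reuse detector is the simplest possible statistic, the rate at which two ciphertexts agree position by position; a fuller analysis would use the index of coincidence or a chi-square test over the difference stream, which this code does not implement.

```python
import random
import string

ALPHABET = string.ascii_uppercase


def encrypt(plaintext: str, pad: list[int]) -> str:
    """Additive one-time pad over A..Z: C[i] = (P[i] + K[i]) mod 26."""
    if len(pad) < len(plaintext):
        raise ValueError("pad page is shorter than the message")
    return "".join(ALPHABET[(ALPHABET.index(p) + k) % 26]
                   for p, k in zip(plaintext, pad))


def decrypt(ciphertext: str, pad: list[int]) -> str:
    """Inverse of encrypt: P[i] = (C[i] - K[i]) mod 26."""
    if len(pad) < len(ciphertext):
        raise ValueError("pad page is shorter than the message")
    return "".join(ALPHABET[(ALPHABET.index(c) - k) % 26]
                   for c, k in zip(ciphertext, pad))


def make_pad_page(length: int, rng: random.Random) -> list[int]:
    """Constructed pad page. A seeded PRNG is used only so the demo is
    reproducible; real pad material needs a true random source."""
    return [rng.randrange(26) for _ in range(length)]


def coincidence_rate(a: str, b: str) -> float:
    """Fraction of positions (over the shorter length) where a and b agree."""
    n = min(len(a), len(b))
    return sum(1 for x, y in zip(a, b) if x == y) / n


def detect_reuse(c1: str, c2: str, threshold: float = 0.15) -> bool:
    """With independent uniform pads, two ciphertexts agree at a position with
    probability 1/26 (about 0.038). If one pad page encrypted both, the pad
    cancels out and the agreement rate is that of the two plaintexts, which
    for messages sharing a stereotyped opening is far above the threshold."""
    return coincidence_rate(c1, c2) > threshold


# Constructed sample traffic: two reports with the same stereotyped header.
P1 = "WEATHERREPORTFORTHENORTHERNSECTORMONDAYRAINANDFOGEXPECTEDALLDAYSHIPSREMAININPORT"
P2 = "WEATHERREPORTFORTHENORTHERNSECTORFRIDAYCLEARSKIESEXPECTEDCONVOYSAILSATDAWN"

_rng = random.Random(704)
PAD_704 = make_pad_page(80, _rng)   # page 704 of the (constructed) pad
PAD_705 = make_pad_page(80, _rng)   # page 705, independent of page 704

C1 = encrypt(P1, PAD_704)           # sent correctly with page 704
C2_REUSED = encrypt(P2, PAD_704)    # the mistake: page 704 used a second time
C2_FRESH = encrypt(P2, PAD_705)     # correct: a new page for each message


def page_704_compromise_scope() -> dict:
    """What an adversary holding page 704 can and cannot read or detect."""
    return {
        "reads_message_1": decrypt(C1, PAD_704) == P1,
        "reads_message_2_fresh_page": decrypt(C2_FRESH, PAD_704) == P2,
        "reuse_detectable": detect_reuse(C1, C2_REUSED),
        "fresh_pages_detectable": detect_reuse(C1, C2_FRESH),
    }


if __name__ == "__main__":
    for k, v in page_704_compromise_scope().items():
        print(f"{k}: {v}")
    print(f"agreement under reuse: {coincidence_rate(C1, C2_REUSED):.3f}")
    print(f"agreement under fresh pads: {coincidence_rate(C1, C2_FRESH):.3f}")
```

Because the pad cancels in the reused case, the agreement rate of the two ciphertexts is exactly the agreement rate of the two plaintexts, which is why the stereotyped header shows through; with independent pages the same statistic sits near 1/26 and page 704 decrypts nothing but message 1.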

Xcott:dittybopper: Yeah, but manual, paper OTPs are about as foolproof a solution as you are going to find. The rules are simple, and when followed, they *WORK*.

That's not what "foolproof" means. OTPs are actually the opposite of foolproof: they fail catastrophically when people cut a few corners or make a few mistakes, and the onerous key requirements actually encourage those mistakes.

OTPs are fragile in the sense that if someone ever cuts a corner and reuses a pad, anyone who intercepts your transmissions can immediately detect the reuse, and it's not that hard to extract the messages in full when this happens. It's hard to express just how embarrassingly bad this is by modern standards: a cipher should never fail this dramatically when a key is misused or used past its mandated lifetime.

On top of this, the OTP requires that key material be written down and stored in two different places, which again is pretty awful security by modern standards, or even 1970s standards. You should only need a key or passphrase that you can memorize---you should never have to write down a key---and you shouldn't have to share it with anyone, even the person with whom you are communicating.

The only reason to use an OTP is that the encryption method is theoretically unbreakable if all practical matters are ignored. But you only needed that theoretical unbreakability 40-50 years ago, before people figured out how to make reliably strong cipher algorithms. And when you factor in the practical matters, it's a real D- of a cipher.

This is why cryptographers are conditioned to hear "one-time pad" and think "crackpot." If you're writing cryptographic software and you want to guarantee that people will declare it snake oil, use the phrase "one-time pad" in the marketing copy.

I'm a former Signals Intelligence professional (go ahead and google 'ditty bopper').

Since I've been out of that business, it's been a bit of a serious hobby for me. To the best of my knowledge, I was the first one to publish the idea of using 10-sided dice to generate OTPs, and as you can see I've also experimented with other manual methods of encryption.

There is a reason that numbers stations still exist, and why those stations still transmit their messages using one time pads: Because when used properly (especially avoiding the use of a computer), they are forever safe.

Think about that: No one needs higher security than spies, and what do they use? OTPs.

dittybopper: There is a reason that numbers stations still exist, and why those stations still transmit their messages using one time pads: Because when used properly (especially avoiding the use of a computer), they are forever safe.

Yes, except for the part where you have to write the key down on lots of paper, keep it somewhere, and give a copy of that paper to someone else. And repeat this process for each person with whom you need to communicate.

In exchange for that embarrassingly bad security, you get a theoretically unbreakable cipher---theoretically unbreakable under the questionable assumption that nobody can intercept and record the key material.

In contrast, you could use a modern cipher, which doesn't require you to share your decryption key with anyone, or store it anywhere, written or otherwise, even if you want to communicate securely with a network of 2,000 separate people. In exchange for that far more acceptable level of security, the cipher is no longer theoretically perfectly secure: it will only be unbreakable for the lifetime of the universe, rather than forever. Boo hiss.

Of course, your adversary could find a way to invent a nondeterministic computer to brute-force all 128-bit keys in an eyeblink, or solve the Elliptic Curve discrete log problem or find a flaw in AES. So to prevent those very real possibilities, let's instead use a 100-year-old cryptosystem that could only be broken by a dude with impossible sci-fi technology like lockpicks and a camera.

dittybopper:To the best of my knowledge, I was the first one to publish the idea of using 10-sided dice to generate OTPs, and as you can see I've also experimented with other manual methods of encryption.

I forgot to add: I can't tell from the photo, but do those dice have sharp edges?

A lot of dice are injection molded and then tumbled to smooth their edges, and you should not be using them to generate cryptographically secure random data. Dice are less uniform than people think---casinos are really the only ones who obsess about exacting quality standards in dice, and really they only care about D6s.

But again, the main security risk of an OTP is not some analyst finding a tiny bias in your dice, but simply intercepting and scanning the key material after you necessarily write it down and give a copy to someone else.

Xcott:dittybopper: There is a reason that numbers stations still exist, and why those stations still transmit their messages using one time pads: Because when used properly (especially avoiding the use of a computer), they are forever safe.

Yes, except for the part where you have to write the key down on lots of paper, keep it somewhere, and give a copy of that paper to someone else. And repeat this process for each person with whom you need to communicate.

That's a feature, not a bug.

In exchange for that embarrassingly bad security, you get a theoretically unbreakable cipher---theoretically unbreakable under the questionable assumption that nobody can intercept and record the key material.

You get around that by *PHYSICALLY* transferring the pads.

If you and I are communicating, meeting once every 6 months or so to exchange pads, or even through a dead drop, or even through the mail, is not a significant burden.

It's a trivial exercise to make a tamper-evident package around the pads so that you can tell if they've been compromised. If they have, you've got two choices: Don't use them, or use them to send deliberately misleading messages.

In contrast, you could use a modern cipher, which doesn't require you to share your decryption key with anyone, or store it anywhere, written or otherwise, even if you want to communicate securely with a network of 2,000 separate people. In exchange for that far more acceptable level of security, the cipher is no longer theoretically perfectly secure: it will only be unbreakable for the lifetime of the universe, rather than forever. Boo hiss.

Of course, your adversary could find a way to invent a nondeterministic computer to brute-force all 128-bit keys in an eyeblink, or solve the Elliptic Curve discrete log problem or find a flaw in AES. So to prevent those very real possibilities, let's instead use a 100-year-old cryptosystem that could only be broken by a dude with impossible sci-fi technology like lockpicks and a camera.

Or they could put a keylogger and/or trojan on your computer, and just read whatever it is you send before it gets encrypted. Which is the simple way to do it, and needless to say, isn't as computationally intensive as trying to crack modern computerized ciphers.

You can't put a keylogger or a trojan on a pencil. In order to spy on someone using an OTP, you need *PHYSICAL* access, which is much harder than infecting the computer of the person you wish to spy on.

Xcott:dittybopper: To the best of my knowledge, I was the first one to publish the idea of using 10-sided dice to generate OTPs, and as you can see I've also experimented with other manual methods of encryption.

I forgot to add: I can't tell from the photo, but do those dice have sharp edges?

A lot of dice are injection molded and then tumbled to smooth their edges, and you should not be using them to generate cryptographically secure random data. Dice are less uniform than people think---casinos are really the only ones who obsess about exacting quality standards in dice, and really they only care about D6s.

This is where I can tell that you've gotten your information about cryptography from non-professional sources.

Despite what you may have read, OTPs don't have to be perfectly mathematically random. They just have to be random enough in a non-deterministic way. In other words, if you roll a sequence like 77324, there can't be a way to mathematically derive that the next number is going to be 5, for example.

Also, you'd have to contend with the fact that any statistical anomaly in any one particular die is going to be submerged by the fact that there are 4 other dice being rolled (I roll 5 at a time to generate a single "group"), and there is no way to determine what the order is. Did a 7 come up in the 3rd position of a group because Die A, which has a slight bias towards 7 was in the 3rd position during that particular roll, or was it Die B, C, D, or E? No way to derive that information, even if you actually have the pad itself to analyze.

But again, the main security risk of an OTP is not some analyst finding a tiny bias in your dice, but simply intercepting and scanning the key material after you necessarily write it down and give a copy to someone else.

This isn't a big deal. Physical custody of something the size of a matchbook is relatively easy to maintain securely. You just keep it on your person.

For the pads you aren't using, you can secure them in tamper evident packaging. So long as you can tell that the pads have been interfered with in some way, security is maintained. In fact, it might actually work to your advantage: If you know the pads have been tampered with, you can send false information. Opaque, tamper-evident packaging is relatively easy to make. I like aluminum foil and superglue. It's opaque visually and to any kind of electromagnetic radiation they might try to use to read it, it's simple, and it's available.

Here is how it might work: A pad might be, say, 10 pages. Each pad is wrapped securely in aluminum foil and glued shut with a bit of thread sticking out so you can open them easily. You use a paint marker to make some marks along the seams so you can tell if the pad has been opened by other means.

The pad that you are currently using can either stay on your person, if you live in a jurisdiction like the United States, or, if necessary, in a nice hidden place in your home.

The point being, in order to copy the pads, any potential cryptanalyst needs *PHYSICAL* access to them. That's hard to do undetected. Not impossible, but you can make it so hard that it's just not practical.

With computerized cryptography, you don't need physical access to the machine. Unless it's a stand-alone computer, any potential adversary can side-step computationally intensive cryptanalysis by simply putting a keylogger on that computer and reading the plaintext at their leisure.

I'm not saying that OTPs are the be-all, end-all of cryptography. For most communications, you don't need the security that OTPs provide. Hell, I don't even use them, I just experiment with them, because I don't have an actual *NEED* for that much security. From a convenience standpoint, if I were to need a method to communicate with someone (and to keep the encryption offline to prevent keyloggers or trojans from being a security issue), I'd use a wheel/strip cipher. Secure enough, very easy to use, and because you never have to write down the plaintext, computer intrusions aren't a problem.

But, if you need the ultimate in security, there really is literally nothing better than an OTP, and it can be implemented without any modern technology.

I should point out again that I'm a crypto-weenie going back at least 30 years, I've been in the signals intelligence business, and I'm also a senior programmer/analyst, so I'm up on all the latest computer security stuff.

dittybopper:You get around that by *PHYSICALLY* transferring the pads.

Of course you physically transfer the pads. They're on paper. How does that "get around" interception?

I remind you that an adversary can intercept those pads any time before they are used. They are not limited to intercepting at the moment of handoff. Hand them off in person, use a tamper-evident package and a masonic handshake; none of that stops someone from photographing them after they wind up in a recipient's house or hotel room or wherever else he has to take them or may leave them by mistake. And no, that's not a "feature," it's a vulnerability that no other cipher has.

The OTP has theoretically perfect security if there are no key issues, but it also has theoretically worst-case key issues, and key issues are far more important to security than a theoretical difference between a quadrillion years and infinity years to crack the cipher. There's a reason why the federal government went nuts trying to tamp down the spread of public-key cryptography and modern block ciphers, going so far as to classify strong crypto as munitions under export control law; but at the same time they didn't give two craps whether you and some dude in Finland communicated with "perfect secrecy" using a typewriter and slightly malformed children's toys.

Or they could put a keylogger and/or trojan on your computer, and just read whatever it is you send before it gets encrypted.

If you're that paranoid, use a computer disconnected from the network booting from a live CD. Move the ciphertext with a flash drive---or if you're utterly paranoid, print the ciphertext and OCR it.

Xcott:dittybopper: You get around that by *PHYSICALLY* transferring the pads.

Of course you physically transfer the pads. They're on paper. How does that "get around" interception?

It's pretty simple. If Alice physically hands the pads to Bob, how is Eve going to get access to them?

I remind you that an adversary can intercept those pads any time before they are used. They are not limited to intercepting at the moment of handoff. Hand them off in person, use a tamper-evident package and a masonic handshake; none of that stops someone from photographing them after they wind up in a recipient's house or hotel room or wherever else he has to take them or may leave them by mistake. And no, that's not a "feature," it's a vulnerability that no other cipher has.

Physical access to the pads is a much, much, *MUCH* more difficult issue than slapping a keylogger or a trojan on the computer of an adversary. Think of all the places you can hide something the size of a pack of cigarettes in your house. A package that size could hold a *LOT* of OTPs, even ones done by a conventional manual typewriter.

Be creative. Right in front of me, within arms reach, I've got several electronic devices that I could open with a screwdriver and hide the pads within.

Now think about how long it would take to physically search your home thoroughly, find them, open them up, photograph them, and replace them such that the tamper-evident packaging isn't disturbed. Do you think it's practical for anyone, even a government, to do that without leaving some sign that they did it?

This is why secret agents still use manual one time pads. When actual physical access is required in order to copy the pads, you can arrange the circumstances so that if they manage to gain physical access, you will know about it, and can take the appropriate steps.

The OTP has theoretically perfect security if there are no key issues, but it also has theoretically worst-case key issues, and key issues are far more important to security than a theoretical difference between a quadrillion years and infinity years to crack the cipher. There's a reason why the federal government went nuts trying to tamp down the spread of public-key cryptography and modern block ciphers, going so far as to classify strong crypto as munitions under export control law; but at the same time they didn't give two craps whether you and some dude in Finland communicated with "perfect secrecy" using a typewriter and slightly malformed children's toys.

That's because realistically, they know there isn't anything they can do about it.

Strong crypto software itself can be classified as munitions, but the algorithms themselves can't be. That's how Phil Zimmermann got around that problem with the exportation of PGP: He published it in book form, and it then enjoyed First Amendment protections. That's why you can post the plans for building bombs, machine guns, and all manner of weaponry without falling afoul of export control laws about munitions.

Let's say I design some new super-missile that's better than anything anyone else has. I could publish the precise plans for it and not run afoul of any laws.

Or they could put a keylogger and/or trojan on your computer, and just read whatever it is you send before it gets encrypted.

If you're that paranoid, use a computer disconnected from the network booting from a live CD. Move the ciphertext with a flash drive---or if you're utterly paranoid, print the ciphertext and OCR it.

What about the plaintext? Hell, if they can gain physical access to snatch pads, why can't they do so to install a keylogger on your offline machine? Hell, why couldn't they install something in it to transmit that data to a receiver a short distance away? Or just go ahead and listen for the unique radiation that your machine unintentionally generates? It's a hell of a lot easier to enter a house, find the computers, and surreptitiously install software in them undetected than it is to toss the entire house looking for something small that could be hidden in practically *ANYTHING* with a volume bigger than, say, 5 or 10 cubic inches (and that could be split up among multiple locations), open up the packaging, photograph the individual pads, and then replace them undetected.

I should point out that's an old pad, btw: I've experimented further, and I've found that if you glue 3 of the edges of the pages along with half of the 4th edge, you can easily remove each page by tearing it off, but it prevents people from effectively being able to copy the pages underneath without it being detected.

dittybopper:Despite what you may have read, OTPs don't have to be perfectly mathematically random. They just have to be random enough in a non-deterministic way. In other words, if you roll a sequence like 77324, there can't be a way to mathematically derive that the next number is going to be 5, for example.

Wow, that's ... really, really, really false.

By definition, perfect secrecy requires that the a priori plaintext distribution equals the a posteriori distribution. That's an absolute requirement, and if you don't meet that, then there's really no point in putting up with all the other crap to use the cipher.

This means that it's not sufficient for the pad to be "random enough in a non-deterministic way." It has to have a specific kind of distribution that makes the plaintext and ciphertext independent. A uniform distribution achieves this, and an arbitrary non-uniform distribution does not.

If you want a simple example, here is an OTP-encrypted text (mod 26) where the pad is severely biased toward Z (90%) but it's still "non-deterministically random":

"WFENAHLYOUHAVEISAKAMMEREVERYTHINGLOOMSLIKLANADL"

You're telling me that nobody can deduce what this says because the noise, while slight, is non-deterministic? Har har, nobody will ever read my message because they can't prove what I said with 100% certainty! But wait, no, this is trivial to read. In fact, with a biased pad, certain plaintext values become more likely and certain values less likely. This violates perfect secrecy.

You may argue that a small bias, like 1-2%, doesn't make much of a difference. But then, your messages are no longer "forever safe." They are now vulnerable to the same impractical brute force analysis that you get with any other cipher.

dittybopper:Also, you'd have to contend with the fact that any statistical anomaly in any one particular die is going to be submerged by the fact that there are 4 other dice being rolled

Unless, of course, the dice are from the same set, and have the same mold and the same oblateness on the 4-5 axis. Have you ever subjected your dice to the stack test?

I mean, think about it: these are literally children's toys. You are attempting to achieve the ultimate in security by using children's toys. Board games have no insanely precise requirements for dice output uniformity, so there is zero reason for a manufacturer to obsess over something like that. Half of the time they throw the friggin' things into a rock tumbler to make them smooth and shiny.

Nothing you can't find in an undergrad crypto textbook. I recommend Trappe and Washington, or Stinson but only 1st ed.
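As an added, runnable illustration of the point above (this is my code, not anything posted by Xcott or dittybopper): it computes the a posteriori plaintext distribution for a single ciphertext letter under a uniform pad and under the 90%-Z pad, and reads the posted ciphertext by taking the most likely key at every position. It assumes the A=1 ... Z=26 letter convention, under which a Z in the pad adds 0 mod 26 and the posted ciphertext reads directly as "WHEN ALL YOU HAVE IS A HAMMER EVERYTHING LOOKS LIKE A NAIL" (my reading of it; the post only says it is trivial to read). The pad bias value, the uniform prior on plaintext letters and the seed are constructed for the example.

```python
import random
import string

ALPHABET = string.ascii_uppercase

# The ciphertext from the post above, and my reading of it (an assumption: the
# post only says it is "trivial to read").
POSTED_CIPHERTEXT = "WFENAHLYOUHAVEISAKAMMEREVERYTHINGLOOMSLIKLANADL"
ASSUMED_PLAINTEXT = "WHENALLYOUHAVEISAHAMMEREVERYTHINGLOOKSLIKEANAIL"


def to_num(ch):
    """Letter to number with A=1 ... Z=26, so Z is 0 mod 26 and leaves a letter
    unchanged. This is an assumed convention; it is the one under which the
    posted ciphertext reads directly."""
    return ALPHABET.index(ch) + 1


def to_letter(n):
    return ALPHABET[(n - 1) % 26]


def encrypt(plaintext, pad):
    return "".join(to_letter(to_num(p) + to_num(k)) for p, k in zip(plaintext, pad))


def decrypt(ciphertext, pad):
    return "".join(to_letter(to_num(c) - to_num(k)) for c, k in zip(ciphertext, pad))


def pad_distribution(p_z):
    """Key-letter distribution: Z with probability p_z, the other 25 letters
    sharing the remainder equally. p_z = 1/26 is the uniform (true OTP) case."""
    other = (1 - p_z) / 25
    return {k: (p_z if k == "Z" else other) for k in ALPHABET}


def make_pad(length, dist, rng):
    """Draw a pad from `dist`: non-deterministic, but only uniform when p_z = 1/26."""
    return "".join(rng.choices(ALPHABET, weights=[dist[k] for k in ALPHABET], k=length))


def posterior(c, dist, prior=None):
    """P(plaintext = p | ciphertext = c) for every p, by Bayes' rule:
    P(p | c) is proportional to prior(p) * P(key = c - p).
    Perfect secrecy means this equals the prior for every c."""
    if prior is None:
        prior = {p: 1 / 26 for p in ALPHABET}
    weighted = {p: prior[p] * dist[to_letter(to_num(c) - to_num(p))] for p in ALPHABET}
    total = sum(weighted.values())
    return {p: w / total for p, w in weighted.items()}


def posterior_spread(c, dist):
    """max - min of the posterior; 0 exactly when the ciphertext letter leaks nothing."""
    post = posterior(c, dist)
    return max(post.values()) - min(post.values())


def ml_decrypt(ciphertext, dist):
    """Most likely plaintext letter at each position, given only the pad's bias."""
    out = []
    for c in ciphertext:
        post = posterior(c, dist)
        out.append(max(post, key=post.get))
    return "".join(out)


def mismatches(a, b):
    return sum(x != y for x, y in zip(a, b))


def fresh_example(seed, p_z=0.9):
    """Encrypt the assumed plaintext under a freshly drawn biased pad. Returns
    (ciphertext, pad, letters the ML reading gets wrong, number of non-Z key letters);
    the last two are equal because any non-Z key letter changes the letter it covers."""
    dist = pad_distribution(p_z)
    pad = make_pad(len(ASSUMED_PLAINTEXT), dist, random.Random(seed))
    ct = encrypt(ASSUMED_PLAINTEXT, pad)
    wrong = mismatches(ml_decrypt(ct, dist), ASSUMED_PLAINTEXT)
    return ct, pad, wrong, sum(k != "Z" for k in pad)


if __name__ == "__main__":
    biased, uniform = pad_distribution(0.9), pad_distribution(1 / 26)
    print("posterior spread, uniform pad:", posterior_spread("W", uniform))
    print("posterior spread, 90%-Z pad:  ", posterior_spread("W", biased))
    print("ML reading of the posted text:", ml_decrypt(POSTED_CIPHERTEXT, biased))
    print("letters off from assumed plaintext:",
          mismatches(POSTED_CIPHERTEXT, ASSUMED_PLAINTEXT), "of", len(POSTED_CIPHERTEXT))
    ct, pad, wrong, non_z = fresh_example(7)
    print("fresh biased-pad ciphertext:  ", ct)
    print("ML reading wrong at", wrong, "positions; non-Z key letters:", non_z)
```

With the uniform pad the posterior for every letter is exactly 1/26, the prior, which is the perfect-secrecy condition. With the 90%-Z pad the posterior puts 0.9 on the ciphertext letter itself and 0.004 on each of the other 25, so the maximum-likelihood reading is just the ciphertext with about one letter in ten wrong, and the non-determinism of the pad never enters into it.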

dittybopper:Physical access to the pads is a much, much, *MUCH* more difficult issue that slapping a keylogger or a trojan on the computer of an adversary. Think of all the places you can hide something the size of a pack of cigarettes in your house. A package that size could hold a *LOT* of OTPs, even ones done by a conventional manual typewriter.

I don't think you're thinking this all the way through. If you are operating under the paranoid assumption that an attacker will break into your house to install a key logger on your computer, then it doesn't matter how well you can hide a thing in your house. The hypothetical spook can simply install a camera in your house and just see you take it out of its hiding place. Especially considering that the onerous nature of OTP encryption requires that you spend a lot of time with them. You're not gonna whip that sucker out for 3 seconds.

And again, you have to rely on not just you, but you and the recipient being equally clever and meticulous. This is one reason why it makes slightly more sense for a spy to use an OTP: the recipient is a high-security facility, so you really only have one copy of the key in the wild.

dittybopper:Now think about how long it would take to physically search your home thoroughly, find them, open them up, photograph them, and replace them such that the tamper-evident packaging isn't disturbed. Do you think it's practical for anyone, even a government, to do that without leaving some sign that they did it?

"Even a government"? "Tamper-evident packaging?" So the theory here is that US intelligence agencies can bug the whole world, crack modern cipher algorithms and brute-force 128-bit keys with computers that operate with completely different laws of physics, come into your house and install key-loggers that make any use of computers suspect; but they totally can't get past your string-and-aluminum-foil trick?

Xcott, you seem to think that copying physical keys is as simple as copying computerized keys. It's *NOT*. It's a much harder prospect.

But the real clue as to how I know you really don't know what you're talking about is this:

Xcott:In contrast, you could use a modern cipher, which doesn't require you to share your decryption key with anyone, or store it anywhere, written or otherwise, even if you want to communicate securely with a network of 2,000 separate people. In exchange for that far more acceptable level of security, the cipher is no longer theoretically perfectly secure: it will only be unbreakable for the lifetime of the universe, rather than forever. Boo hiss.

You are assuming a brute-force attack.

You know who else assumed their data was safe from a brute force attack?

And that was a safe assumption: Back then, even with the wiring of the Enigma machines compromised, it would have taken thousands of years to step through all the possibilities in a brute-force attack to recover a single day's key settings. Even *WITH* massively parallel operations.

But that's not how Enigma was broken. The Germans knew that in theory it was possible to break Enigma*, but all they could imagine was a brute force attack, and they didn't think even the Allies had the ability to do that in a timely manner. They were wrong.

Hell, according to brute force analysis, a simple strip cipher like the M-138 that uses, say, 25 out of 100 available strips for any given key would have 2.82x10^50 possible keys (100*99*98*97...*76*75). If you could brute force test a trillion of those keys a second, it would take 8.95x10^31 years to brute force those keys. The Universe is only 1.38x10^10 years old.

This is true of all ciphers that don't use random keys as long as the message itself.

Neither you nor I know if the NSA has developed a method to break any of the modern, "secure" computerized algorithms, and as I pointed out numerous times, because computers are a security *NIGHTMARE*, as I can attest to, they may not have to actually be able to break it in order to read what you are saying anyway. The open literature on the subject is just that: Open.

Neither you nor I know what the NSA, GCHQ, FAPSI, 3rd Department GSD, or any of the others are capable of. We can guess, but those are just that: guesses based upon supposition, that may be valid when made, but not necessarily true 5 or 10 years later.

Manual OTP systems, when the keys are generated, secured, and destroyed properly (and it's not hard to do that) are immune from any kind of cryptanalysis forever. The main problems are with maintaining the security of the keys, but unless you send messages with the frequency of a hyperactive twitter addict, you really don't need the amount of keys you think you need.

And as I pointed out, it's overkill for most applications. I don't care that my bank doesn't use it. Hell, I set up an SFTP process to transfer sensitive medical patient data at my work to an offsite medical system, and I'm not all that concerned that someone might break it and learn that Mary Jane Rottencrotch has chlamydia. I picked a large key size, and it's secure enough for that application.

But, imagine a case where the people listening to you have, for all intents and purposes, unlimited resources. *THAT* is when you might want to use an OTP, especially if the concern is that a message from 20 years ago might come back to bite you in the ass with serious consequences.

*Admiral Doenitz was particularly wary: He rightly was skeptical of the security claims, especially after the Tarafal Bay incident. Unfortunately for him, the resulting investigation by Eberhardt Maertens into the possibility that their communications security was compromised was slipshod.

Seriously? We can't trust ciphers like 128-bit AES because the Enigma was broken in the 40s?

Comparing the Enigma machine to AES is silly. Enigma was invented long before cryptography was put on any scientific footing, and its design was mostly ad-hoc. It's utterly unlike modern ciphers in terms of the actual scientific and mathematical knowledge used in their design.

Also, the Enigma's design was pretty vulnerable to brute force even in its time. The proper part of the enigma, the time-varying part, only had 17576*60 keys. The only factor that complicated this was a static plug-board that was slapped on just to increase the key size, and this was cracked precisely because it was an ad-hoc addition.

Pointing to Enigma to argue that we shouldn't trust modern block ciphers is like pointing to a WWI biplane to prove that spaceflight is impossible.


It's an analogy.

It's more like saying that a WWI biplane built in 1918 might *JUST* be vulnerable to a fighter built in 1938.

An encryption standard that was invented just 20 years ago *MIGHT* be vulnerable today, but neither you nor I *KNOW* that.

The difference, however, is that I know that I don't know whether there is a valid attack against it that's classified, and you seem to be certain that it isn't.

Xcott:"Even a government"? "Tamper-evident packaging?" So the theory here is that US intelligence agencies can bug the whole world, crack modern cipher algorithms and brute-force 128-bit keys with computers that operate with completely different laws of physics, come into your house and install key-loggers that make any use of computers suspect; but they totally can't get past your string-and-aluminum-foil trick?

Actually, they *CAN* bug the whole world (that used to be part of my job), they *MAY* be able to crack modern cipher algorithms. They almost certainly can't brute-force it. They can install key-loggers and other software remotely (if they can do it to Iran, why not to you?)

They *CAN* get past the string and aluminum foil trick, but not in a way that is completely undetectable, and *THAT* is the real security: Recognizing that you can't completely secure everything, but engineering it so that if they do breach the security, you can detect it relatively easily.

A one time pad that is compromised is a dangerous thing, unless you recognize that it's been compromised, then it's no danger at all.

dittybopper:Think of all the places you can hide something the size of a pack of cigarettes in your house.

I forgot to add: the number of unique hiding places in your house may seem daunting, but it's a laughably small number in cryptographic terms. How many hiding places do you actually think you have in your house? 2**128? A trillion trillion trillion? Just a trillion trillion? A million? A thousand?

If you have a million different hiding places in your house, that's at best a 20-bit key. You're taking your perfect ideal unbreakable pad (well, at least as perfect as the toy factory in China made your dice) and protecting it with a 20-bit key. Because 128-bit strong encryption is not secure enough, you're protecting your secrets with a 20-bit hiding place.

And that's assuming you actually have a well-defined set of a million distinct hiding places and choose each possible hiding place with equal likelihood, which you don't. A hiding place doesn't even qualify as a key; using a hiding place for crypto security violates Kerckhoffs's criterion at a basic level.

Back in the 1990s, there was a crypto crackpot who tried to promote a one-time-paddish cryptosystem where the pad was taken from a music CD bought at the store. His idea was that you and he would buy the same CD, presumably with cash, and the CD title would be the secret key. We had a hard time convincing him that this didn't meet the mathematical requirements for a one-time pad, in part because he was convinced the keyspace was "enormous." In reality, the keyspace was the number of CDs he could find in a store near both your home and his, which is probably in the 10s of thousands range---or 14-bit key.

All this because he was paranoid, and thought that the US government would read his messages if he used any proper cipher---and that, instead, he would be perfectly secure forever if he used some rinky-dink idea he slapped together.

Yes, but it's a bad analogy. You're taking an ad-hoc cipher invented before there was much science to cipher design, during a time when ciphers were routinely broken shortly after their publication because people didn't know what they were doing. You are comparing this to block ciphers developed after Shannon, after the Luby-Rackoff result and the Merkle-Damgard architecture, after linear and differential cryptanalysis and random oracle models and elliptic curves and a general explosion in understanding of how cryptosystems work.

You're essentially comparing a pre-science and a post-science technology. My analogy to biplanes is also a bad one, because people actually understood some aerodynamics when they built them. A better example might be pointing to a collapsing yurt to prove that skyscrapers are unsafe.

Xcott:dittybopper: Despite what you may have read, OTPs don't have to be perfectly mathematically random. They just have to be random enough in a non-deterministic way. In other words, if you roll a sequence like 77324, there can't be a way to mathematically derive that the next number is going to be 5, for example.

Wow, that's ... really, really, really false.

By definition, perfect secrecy requires that the a priori plaintext distribution equals the a posteriori distribution. That's an absolute requirement, and if you don't meet that, then there's really no point in putting up with all the other crap to use the cipher.

This means that it's not sufficient for the pad to be "random enough in a non-deterministic way." It has to have a specific kind of distribution that makes the plaintext and ciphertext independent. A uniform distribution achieves this, and an arbitrary non-uniform distribution does not.

If you want a simple example, here is an OTP-encrypted text (mod 26) where the pad is severely biased toward Z (90%) but it's still "non-deterministically random":

"WFENAHLYOUHAVEISAKAMMEREVERYTHINGLOOMSLIKLANADL"

You're telling me that nobody can deduce what this says because the noise, while slight, is non-deterministic? Har har, nobody will ever read my message because they can't prove what I said with 100% certainty! But wait, no, this is trivial to read. In fact, with a biased pad, certain plaintext values become more likely and certain values less likely. This violates perfect secrecy.

You may argue that a small bias, like 1-2%, doesn't make much of a difference. But then, your messages are no longer "forever safe." They are now vulnerable to the same impractical brute force analysis that you get with any other cipher.

OK, I posted an example of a pad using the same dice that are in the picture.

It consists of 5 number groups, 5 groups to a line, for 10 lines. That's 250 numbers. You would expect to find, based on purely even numbers, about 25 of each individual number, give or take.

The distribution is approximately what one would expect:

0: 28
1: 24
2: 32
3: 26
4: 25
5: 20
6: 26
7: 16
8: 18
9: 29

Of course, there is no way to really know for sure:

That's funny, because it's true.

Thing is, though, even if there is some small amount of bias, it would take really, really large amounts of traffic in order to become apparent.

Even when you detect a statistical anomaly, it won't really help you decipher the messages, because again, it's non-deterministic. You simply can't determine what the next key number will be based upon the previous ones. That's *REQUIRED*.

What you are describing isn't even remotely close to the definition of perfect secrecy (the mathematical property required of OTPs). Perfect secrecy is what makes OTP-encrypted text "forever safe." If your dice are biased, you won't have perfect secrecy. I'll say that again: if your dice are biased, you won't have perfect secrecy. It is not sufficient for the dice to be "non-deterministic": they have to have a specific distribution, a uniform distribution, that renders plaintext and ciphertext symbols independent. Biased dice won't give you that distribution.

I even gave you a counterexample, which you quoted in your reply: a perfectly crackable ciphertext whose key stream was very nonuniform but nevertheless random and non-deterministic. That should be enough to demonstrate why non-determinism isn't enough, and that nonuniformity makes a OTP breakable: if your dice are biased, you won't have perfect secrecy.

Again, you can find this stuff in any undergraduate crypto textbook. I strongly suggest you do so, because apparently your misconception of perfect secrecy is telling you that you can use a bad keystream, and that you don't need to care about bias in your source of randomness.

There are some ways to know for sure. You can just measure your dice with a micrometer to see if they have any oblateness. Oblateness correlates pretty well with bias. That's not the only possible source of bias, but it's certainly a bad sign by itself.

Just to be helpful, I decided to pull out my micrometer and measure some dice. Unfortunately, most of my dice are die-cast and untumbled (Gamescience is a good source for precision dice) but I found some toy-grade D6s with the smooth edges.

Three axes for each of three dice are roughly (inches):
a) 0.615 0.614 0.607
b) 0.611 0.623 0.620
c) 0.611 0.617 0.617

These have an oblateness of around 0.1-0.3mm, and a flatness all around 0.01. With the numbers predicted in the article I cited, you might expect these dice to roll one of the flat sides 34% of the time, and the other sides each 33% of the time. So a 0.5% bias for two outcomes, not counting the effect of the rounded corners.

What does that mean, practically speaking? I wrote a little program to generate key streams with this distribution for a base-6 OTP, to see if this tiny bias lets me distinguish between a plaintext message of all 0s and a message of all 2s by examining the ciphertext using a likelihood ratio test. My probability of guessing the plaintext from the ciphertext depends on length:

Length 100: guessed right 55.6% of the time
Length 200: guessed right 56.35% of the time
Length 300: guessed right 59.35% of the time
Length 500: guessed right 61.45% of the time
Length 1000: guessed right 65.95% of the time
Length 5000: guessed right 80.70% of the time

(All simulations based on 1000 trials)

In all cases I did better than random when guessing the plaintext from the ciphertext, because of this tiny 1% bias in the die. In all cases, the ciphertext leaked information about the plaintext, and the vaunted perfect secrecy of the OTP did not exist.

Conclusion: if your dice are slightly biased, you don't have perfect secrecy.

OK, so you got me thinking: Just how random are those pages. So I ran some tests (frequency, chi-square). It was made tedious by the fact that I had to re-type them :-(

Interestingly enough, a couple pages actually failed, but taken as an entire group (250 groups per page, 15 pages worth, or 18,750 numbers), they were within the expected values for a random series (confidence 95%). I can only assume that the reason why a couple pages failed is that the sample size was too small.

dittybopper:Interestingly enough, a couple pages actually failed, but taken as an entire group (250 groups per page, 15 pages worth, or 18,750 numbers), they were within the expected values for a random series (confidence 95%).

Hi,

A chi-squared test at 95% confidence would not detect the kind of bias I mentioned above, unless you observed a lot more data.

If one axis of a D6 has a 34% chance of facing up, and if I am not mistaken, the Pearson Chi-squared test statistic has an expected value of roughly N/5000 for N die rolls. You'd have to observe over 55,000 values before the expected value exceeds the 95% confidence threshold for 5 degrees of freedom. And yet, with that slightly biased die, I can still guess from your ciphertext whether you sent 1000 0s or 1000 2s, and be right 65% of the time.

In general, a chi-squared test is a pretty loose test that can miss this kind of bias because (a) the biased die is very close to fair, and (b) it isn't a specific test for a specific kind of bias, and is therefore less powerful. If you knew the specific bias you were looking for---for example, if your micrometer tells you that 2 and 5 may be more likely than 1, 3, 4 and 6---you can test for that specifically and detect it more readily.

I would advise you to save a lot of typing and just measure your dice. If you have any suspicion that your dice might be a fraction of a percent off here or there, we can write a program to compute how much that slight discrepancy would compromise messages of different length. But in general, slightly nonuniform dice break the perfect secrecy of OTP encryption.
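An added simulation, my code rather than Xcott's or dittybopper's, covering both the likelihood-ratio experiment in the earlier post (guessing whether a base-6 pad encrypted all 0s or all 2s) and the chi-squared point in this reply. It assumes the oblate-die distribution quoted above (one axis at 34%, i.e. two faces at 17% and the other four at 16.5%), a base-6 pad with digits 0..5 and ciphertext digit (p + k) mod 6, the 95% critical value 11.07 for a chi-squared test with five degrees of freedom, and trial counts and seeds of my own choosing; the attacker is assumed to know the die's bias, as the post's likelihood-ratio test requires.

```python
import math
import random
from collections import Counter

FACES = 6  # key digits 0..5 for a base-6 pad

# Constructed key-digit distributions. BIASED_DIE is the oblate die from the
# posts above: the two faces on the flat axis come up 17% each, the other four
# 16.5% each (the 34%/33%/33% axis split). FAIR_DIE is the ideal.
BIASED_DIE = [0.17, 0.165, 0.165, 0.165, 0.165, 0.17]
FAIR_DIE = [1 / FACES] * FACES

# 95% critical value of chi-squared with 5 degrees of freedom (D6 frequency test).
CHI2_95_DF5 = 11.0705


def noncentrality(dist, n):
    """Expected excess of Pearson's statistic over its null mean after n rolls of a
    die with face probabilities `dist`: n * sum((p_i - q)^2 / q) with q = 1/6.
    For BIASED_DIE this is n/5000, the figure quoted in the reply above."""
    q = 1 / FACES
    return n * sum((p - q) ** 2 / q for p in dist)


def chi_squared(counts, n):
    """Pearson's frequency-test statistic for the face counts of n rolls."""
    expected = n / FACES
    return sum((counts[f] - expected) ** 2 / expected for f in range(FACES))


def chi2_detection_rate(dist, n, trials, rng):
    """Fraction of trials in which the 95% frequency test flags n rolls of `dist`."""
    flagged = 0
    for _ in range(trials):
        counts = Counter(rng.choices(range(FACES), weights=dist, k=n))
        if chi_squared(counts, n) > CHI2_95_DF5:
            flagged += 1
    return flagged / trials


def llr_table(dist, p0, p1):
    """Per-symbol log-likelihood ratio log P(c | plaintext p0) / P(c | plaintext p1).
    With a known pad distribution, P(c | p) = P(key = (c - p) mod 6)."""
    return [math.log(dist[(c - p0) % FACES] / dist[(c - p1) % FACES]) for c in range(FACES)]


def guess_accuracy(dist, length, trials, rng, p0=0, p1=2):
    """A message of `length` copies of p0 or p1 (chosen at random) is encrypted with
    a pad drawn from `dist`; the attacker sums the LLR over the ciphertext and guesses.
    Returns the fraction of correct guesses (0.5 means the ciphertext leaks nothing)."""
    table = llr_table(dist, p0, p1)
    correct = 0
    for _ in range(trials):
        truth = rng.choice((p0, p1))
        key = rng.choices(range(FACES), weights=dist, k=length)
        llr = sum(table[(truth + k) % FACES] for k in key)  # ciphertext digit is (p + k) mod 6
        guess = p0 if llr > 0 else p1
        correct += guess == truth
    return correct / trials


def run_experiment(seed=2024, trials=1000):
    """Run the whole comparison with one seeded generator and return the numbers."""
    rng = random.Random(seed)
    results = {
        "noncentrality_18750": noncentrality(BIASED_DIE, 18750),
        "chi2_flag_rate_18750": chi2_detection_rate(BIASED_DIE, 18750, trials // 5, rng),
        "fair_accuracy_5000": guess_accuracy(FAIR_DIE, 5000, trials, rng),
    }
    for length in (100, 1000, 5000):
        results[f"accuracy_{length}"] = guess_accuracy(BIASED_DIE, length, trials, rng)
    return results


if __name__ == "__main__":
    for name, value in run_experiment().items():
        print(f"{name:>22}: {value:.4f}")
```

The point the two numbers make together: at 18,750 rolls the biased die is flagged by the 95% frequency test only a minority of the time, because the statistic's expected excess over its null mean is 18,750/5000, well short of the critical value, while the likelihood-ratio guesser working on ciphertext of the same die is right well over half the time at 1000 symbols and around four times in five at 5000. Swap in the fair die and the guesser drops back to a coin flip, which is what perfect secrecy looks like in practice.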